Callback uris are stored in context.callback .

Author: rohe

src/oidcrp/configure.py

@@ -14,7 +14,7 @@
 try:
     from secrets import token_urlsafe as rnd_token
 except ImportError:
-    from oidcendpoint import rndstr as rnd_token
+    from cryptojwt import rndstr as rnd_token
 
 DEFAULT_FILE_ATTRIBUTE_NAMES = ['server_key', 'server_cert', 'filename', 'template_dir',
                                 'private_path', 'public_path', 'db_file']

src/oidcrp/oauth2/__init__.py

@@ -3,6 +3,7 @@
 
 from oidcmsg.exception import FormatError
 
+from oidcrp.configure import URIS
 from oidcrp.entity import Entity
 from oidcrp.exception import OidcServiceError
 from oidcrp.exception import ParseError

src/oidcrp/oidc/__init__.py

@@ -2,6 +2,7 @@
 import logging
 
 from oidcrp.client_auth import BearerHeader
+from oidcrp.oidc.registration import CALLBACK_URIS
 
 try:
     from json import JSONDecodeError
@@ -112,6 +113,15 @@ def __init__(self, client_authn_factory=None,
                                keyjar=keyjar, verify_ssl=verify_ssl, config=config,
                                httplib=httplib, services=_srvs, httpc_params=httpc_params)
 
+        _context = self.get_service_context()
+        if _context.callback is None:
+            _context.callback = {}
+
+        for _cb in CALLBACK_URIS:
+            _uri = config.get(_cb)
+            if _uri:
+                _context.callback[_cb] = _uri
+
     def fetch_distributed_claims(self, userinfo, callback=None):
         """
 

src/oidcrp/oidc/end_session.py

@@ -54,13 +54,14 @@ def get_id_token_hint(self, request_args=None, **kwargs):
 
     def add_post_logout_redirect_uri(self, request_args=None, **kwargs):
         if 'post_logout_redirect_uri' not in request_args:
-            try:
-                request_args[
-                    'post_logout_redirect_uri'
-                ] = self.client_get("service_context").register_args[
-                    'post_logout_redirect_uris'][0]
-            except KeyError:
-                pass
+            _context = self.client_get("service_context")
+            _uri = _context.register_args.get('post_logout_redirect_uri')
+            if _uri:
+                request_args['post_logout_redirect_uri'] = _uri
+            else:
+                _uris = _context.callback.get("post_logout_redirect_uris", [])
+                if _uris:
+                    request_args['post_logout_redirect_uri'] = _uris[0]
 
         return request_args, {}
 

src/oidcrp/oidc/registration.py

@@ -7,7 +7,6 @@
 from oidcmsg import oidc
 from oidcmsg.oauth2 import ResponseMessage
 
-from oidcrp.oidc.provider_info_discovery import add_redirect_uris
 from oidcrp.service import Service
 
 __author__ = 'Roland Hedberg'
@@ -81,7 +80,7 @@ def create_callbacks(issuer: str,
         res["request_uris"] = f"{base_url}/req_uri/{_hex}"
 
     if backchannel_logout_uri or frontchannel_logout_uri:
-        res["post_logout_redirect_uri"] = f"{base_url}/session_logout/{_hex}"
+        res["post_logout_redirect_uris"] = [f"{base_url}/session_logout/{_hex}"]
 
     if backchannel_logout_uri:
         res["backchannel_logout_uri"] = f"{base_url}/bc_logout/{_hex}"
@@ -163,7 +162,7 @@ def add_callbacks(context, ignore: Optional[List[str]] = None):
     context.set('callback', callbacks)
 
 
-CALLBACK_URIS = ["post_logout_redirect_uri", "backchannel_logout_uri", "frontchannel_logout_uri",
+CALLBACK_URIS = ["post_logout_redirect_uris", "backchannel_logout_uri", "frontchannel_logout_uri",
                  "request_uris", 'redirect_uris']
 
 

src/oidcrp/rp_handler.py

@@ -248,6 +248,7 @@ def do_client_registration(self, client=None,
         """
         Prepare for and do client registration if configured to do so
 
+        :param iss_id: Issuer ID
         :param behaviour_args: To fine tune behaviour
         :param client: A Client instance
         :param state: A key by which the state of the session can be
@@ -267,8 +268,8 @@ def do_client_registration(self, client=None,
         self.hash2issuer[iss_id] = _iss
 
         # This should only be interesting if the client supports Single Log Out
-        if _context.post_logout_redirect_uris is None:
-            _context.post_logout_redirect_uris = [self.base_url]
+        # if _context.callback.get("post_logout_redirect_uris") is None:
+        #     _context.callback["post_logout_redirect_uris"] = [self.base_url]
 
         if not _context.client_id:  # means I have to do dynamic client registration
             if request_args is None:

src/oidcrp/service_context.py

@@ -103,7 +103,7 @@ class ServiceContext(OidcContext):
         "httpc_params": None,
         'issuer': None,
         "kid": None,
-        "post_logout_redirect_uris": [],
+        "post_logout_redirect_uri": '',
         'provider_info': None,
         'redirect_uris': None,
         "requests_dir": None,
@@ -137,7 +137,7 @@ def __init__(self, base_url="", keyjar=None, config=None, state=None, **kwargs):
         self.client_secret_expires_at = 0
         self.behaviour = {}
         self.provider_info = {}
-        self.post_logout_redirect_uris = []
+        self.post_logout_redirect_uri = ''
         self.redirect_uris = []
         self.register_args = {}
         self.registration_response = {}

tests/pub_client.jwks

@@ -1 +1 @@
-{"keys": [{"kty": "RSA", "use": "sig", "kid": "SUswNi1MRFlDT0Y2YjU1Z1RfQlo2S3dEa3FTTkV3LThFcnhDTHF5elk2VQ", "n": "0UkUx2ewKyc-XJ1o0ToyGjws_JybAMZj2oYjsPyyvQ_T5dhZ2VmRRRkhsaVJ2xE_GGc7mSG0IjmGFyXp5y0w4mJBcsAEE5-8eBTvQdYIryjW74r3jt6Fi4Hlm1yFMTie3apv8mw79BUj-jT0kh3_m-FiKKUvLsq45DcLtTJ4cx7Ize37dl1sFSpQcoYMk7eiUEM8fiNboiVwvBYNAWVMkUM-LnVUPm3UjvKp0LihYEkZFWOxmuQmj2x25SFUkjus38ERrRqJQBZduxdBHFrWtWg8yOA53BkMU0FFg_r0H3ctl-5GaKw-BWlogU4qXnsq85xy0EoenRk7FPV8g_ulJw", "e": "AQAB"}, {"kty": "EC", "use": "sig", "kid": "NC1pdGRQN002bWM3bk1xX2R0SktscElqbFdtN29ITDV2WVd2b0hOYzREVQ", "crv": "P-256", "x": "kK7Qp1woSerI7rUOAwW_4sU6ZmwV3wwXKX3VU-v2fMI", "y": "iPWd_Pjq6EjxYy08KNFZ3PxhEwgWHgAQTTknlKMKJA0"}]}
+{"keys": [{"kty": "RSA", "use": "sig", "kid": "SUswNi1MRFlDT0Y2YjU1Z1RfQlo2S3dEa3FTTkV3LThFcnhDTHF5elk2VQ", "e": "AQAB", "n": "0UkUx2ewKyc-XJ1o0ToyGjws_JybAMZj2oYjsPyyvQ_T5dhZ2VmRRRkhsaVJ2xE_GGc7mSG0IjmGFyXp5y0w4mJBcsAEE5-8eBTvQdYIryjW74r3jt6Fi4Hlm1yFMTie3apv8mw79BUj-jT0kh3_m-FiKKUvLsq45DcLtTJ4cx7Ize37dl1sFSpQcoYMk7eiUEM8fiNboiVwvBYNAWVMkUM-LnVUPm3UjvKp0LihYEkZFWOxmuQmj2x25SFUkjus38ERrRqJQBZduxdBHFrWtWg8yOA53BkMU0FFg_r0H3ctl-5GaKw-BWlogU4qXnsq85xy0EoenRk7FPV8g_ulJw"}, {"kty": "EC", "use": "sig", "kid": "NC1pdGRQN002bWM3bk1xX2R0SktscElqbFdtN29ITDV2WVd2b0hOYzREVQ", "crv": "P-256", "x": "kK7Qp1woSerI7rUOAwW_4sU6ZmwV3wwXKX3VU-v2fMI", "y": "iPWd_Pjq6EjxYy08KNFZ3PxhEwgWHgAQTTknlKMKJA0"}]}

tests/test_13_oidc_service.py

@@ -891,9 +891,8 @@ def test_construct(self):
             'token_response', 'abcde')
         _req = self.service.construct(state='abcde')
         assert isinstance(_req, EndSessionRequest)
-        assert len(_req) == 3
-        assert set(_req.keys()) == {'state', 'id_token_hint',
-                                    'post_logout_redirect_uri'}
+        assert len(_req) == 2
+        assert set(_req.keys()) == {'state', 'id_token_hint'}
 
 
 def test_authz_service_conf():

tests/test_20_rp_handler_oidc.py

@@ -312,7 +312,7 @@ def test_do_client_registration(self):
         # only 2 things should have happened
 
         assert self.rph.hash2issuer['github'] == issuer
-        assert client.client_get("service_context").post_logout_redirect_uris == []
+        assert client.client_get("service_context").callback.get("post_logout_redirect_uris") is None
 
     def test_do_client_setup(self):
         client = self.rph.client_setup('github')